Welcome and General Discussion

Welcome to the MIT Real ID Online Discussion Forum.  This is a facilitated discussion of the problems and prospects related to the Real ID Act of 2005, enacted by Congress and signed by the President.  For purposes of this online discussion, we are focused on the driver license and identity management aspects of the legislation, and not on the immigration and other aspects of the law.

Through the day on September 19th, 2005, and through the remainder of that week, you will see new topics posted by our panel of expert discussion facilitators on various aspects of this new law.  Please comment to each posted topic that interests you. 

For more an overview of each of the key topic areas, please click on the link on the left side of this web site to “OVERVIEW OF TOPICS AND THIS FORUM”, and to link immediately to posts made in each topic area, just click on a topic on the right side of this web page (e.g. “2. Security and Law Enforcement” or “3. Civil Liberties and Privacy”). 

This “Welcome and General Discussion Topic” can be used for any general comments you may have regarding the Real ID Act, that don’t seem to fall directly under one of the existing topic areas. 

For more information on this Online Discussion Forum, and about the in-person event we will host at the MIT Media Lab in November, please see http://ecitizen.mit.edu

Thanks for your interest in this important and timely event. We welcome your participation!

Thank you,
- Daniel Greenwood
   Lecturer, MIT Media Lab
   Director, MIT E-Commerce Architecture Program
   http://ecitizen.mit.edu

Why Secure Licenses are Important

The need to have a secure driver’s license has never been more dire. In a day and age when licenses (and state-issued ID cards) operate as this Nation’s most widely accepted and requested type of identification, it is crucial that we take steps to implement some kind of standards on our licenses, and it is equally important that each state abide by the same set of standards, given that one state’s license is accepted in every other state across the Union.

The 9/11 hijackers knew well that having a license in this country was the key to operating just under the radar screen, which is why they sought as few as 38 licenses (official number) and state-issued IDs between them, and as many as 63 (unconfirmed number). Not only did those licenses allow them to board airplanes that fateful morning, but more importantly, they allowed the hijackers to operate inside our borders plotting, scheming and executing important parts of their attacks for months and years before the September 11^th.

The 9/11 Commission specifically recommended that the federal government establish a set of uniform standards for the states to follow in driver license issuance, and that is where the REAL ID Act came from. In short, it requires state DMVs to: (among other things)

• establish an applicant is legally present;

• tie license expiration to visa expiration;

• include a biometric identifier (to be determined by the Department of Homeland Security);

• check the validity of all social security numbers with the Social Security Administration;

• provide all other state DMVs with access to each others records to ensure multiple licensing from state to state is not occurring.

Many people argue that the 9/11 hijackers were here legally and would still have gotten licenses anyway, even if REAL ID had been in place. But it’s not true that they were all here legally, many of them came to and left the country several times under different visas but kept their various driver licenses throughout. And specific provisions set forth under the driver license section of the REAL ID Act would have addressed this very issue first of all by tying visa expiration to license expiration, and secondly each state DMV would have been made aware when each of the hijackers attempted to obtain multiple licenses.

The REAL ID Act is certainly not going to stop terrorism – to suggest otherwise is irresponsible. But what it will do, is disrupt terrorist travel by making the terrorists who are here already and have licenses easier to track, and by denying terrorists the most common, widely recognized form if ID available in this country and thus the ability to blend in and get to work plotting more attacks, without fear of being noticed or uncovered.

Imagine what might have happened if Mohammed Atta and his henchmen were forced to produce their Saudi passports – instead of their driver licenses – when enrolling in flight school.

Why Convergence?

Link: http://www.ec3.org/Downloads/2002/id_management.pdf

http://www.ec3.org/Downloads/2003/identity_infrastructure.pdf

http://www.ec3.org/Downloads/2003/EnterpriseIdentity.pdf

I helped to develop the above documents with a number of smart capable people.  You should feel free to affix blame for the bad parts to me and attribute the good parts to my colleagues.  These writings should help readers understand a good deal of my thoughts on identity and ID management as a starting point for this conversation.

I have spent most of the last 5 or 6 years working on electronic Government/Commerce issues and implementations and a large part of that time spent has been focused on identity related work.  There are many types of interactions and transactions for which the interacting parties might choose or prefer to be anonymous to each other or use pseudonymous identifiers.  These types of interactions have not captured much of my attention or focus.  My efforts have centered upon interactions in which, for good reasons or not, there existed a need to connect a virtual identity to a real world person or to express the identity of a real person in the virtual world.  Generally, these interactions are those in which a real world person is known and an organization wants to interact electronically with that person or in which there is a requirement for trust between the parties to a transaction and/or that there is some significant value, privacy or security requirement to the transaction.

Throughout our history (and mostly metaphorically for us today) the difference between being dinner or diner depended upon our ability to read and decipher physical cues to behavior.  There are a lot of hard-wired mechanisms in each of us that tie our trust of another to physical attributes we can perceive.  Leaving aside for the moment whether those mechanisms function effectively or not, a lot of us reserve our trust for another to those from whom we can derive clues to their character from their physical person.  Our social interaction and enforcement mechanisms are based on physical restraints and punishment.  The virtual world disrupts those mechanisms.  Additionally, I believe the anonymity of the virtual world has disabled some restraints that prevented most people from performing a variety of acts.  Some of these acts result in an explosion of creativity and invention.  Others lead to an explosion of mischief and crime.

A variety of reasons and excuses have led to a convergence of physical and virtual ID.  As Director of Digital Government for the State of

Iowa

I worked with a large number of people to create a precursor to REALID.  I believe that we were on a course to build a top-quality system that would have met a wide range of uses while maintaining requirements to meet the needs of security, privacy, individual control and information.  One of the primary, maybe the most important lesson from that work has three components:

1. REAlID done right = good

2. RealID done wrong = very bad

3. The bar is high for such a system to be good.

       We aren't close yet!

There is a tremendous value to be had in an identity system that is backed by government in which a real person can perform inline and online transactions, safely and securely in appropriately private ways.  People function in both the real and virtual worlds.  The tools and systems they use should provide a seamless and transparent ability to function in both worlds.  A proper system will foster creativity and invention and limit mischief and crime.

I look forward to the discussion this week.

REAL ID is a grave danger to civil liberties and privacy

Many people and organizations have sharply criticized the "national ID" aspects of the REAL ID Act. Even before REAL ID, the National Academy of Sciences recognized that a system of national ID not only poses a "wide range of technological and logistical challenges," but has "serious potential for infringing on the rights and freedoms of ordinary citizens." ID system proponents seem to think that the security problem lies in being unable to verify identity. But as security expert Bruce Schneier puts it, “much of the utility of the national ID card assumes a pre-existing database of bad guys. We have no such database.” Thus, a basic issue is that "national ID" is not a card, but an entire system of databases, information gathering activities, and human beings making fateful judgments about individuals based on that overall system. The obvious implication is that the idea of a national ID carries with it a powerful commitment to databases of "bad guys," which in turn seems to bring the commitment to widespread social surveillance in order to try to distinguish the suspicious from the ordinary. As Prof. Daniel Solove has argued, we should fear such risks as “hasty judgment in times of crisis, the disparate impact of law enforcement on particular minorities, cover-ups, petty retaliation for criticism, blackmail, framing, sweeping and disruptive investigations, racial, ethnic, or religious profiling, and so on.” Let's not forget, btw, that "REAL IDs" will probably be more technologically "interesting" than the gov't ID cards we're familiar with (in the sense of the Chinese curse, "may you live in interesting times"). Not only are computer databases and networks a very different thing today than when, say, Social Security Numbers were introduced, REAL IDs appear closely tied politically to two general technologies -- RFID (radio-frequency ID) and biometrics -- that privacy advocates anticipate will radically alter the contingencies of individuals' control over their personal information and the association of one's identities with one's activities, affecting our ability to act privately and anonymously. So let me throw this out: A national ID system, especially one augmented by RFID and biometrics, is an expensive enterprise with many civil liberties risks and little prospect of success in fighting terrorism. As a security system, a national ID system is a form of thin perimeter security with many vulnerable links. Thus, a national ID system points in only two directions. It will either be meaningless (but expensive) because it will be easily penetrated at its weak points, or be effective because it is tough at every point — but at the cost of a free society.

DMV's as an Indentity Bureau?

The traditional approach to identification at a motor vehicle agency in the pre-911 world was that DMV’s issued a driver’s license that was evidence that the holder met the minimum standards for the driver privilege. Identity verification was a necessary part of that process to prevent fraud and unauthorized people from obtaining a license. In short, motor vehicle departments generally saw and to a large degree still do see themselves as issuing driver’s licenses that are also used for identification.

The process for issuing a first time driver’s license involves presenting a set of documentation that proves who you are and where you live. The states often break this into primary and secondary forms of documentation. Examples of primary documentation include US Passport, expired or current state driver’s licenses, firearms permits, certain immigration documents, birth certificate etc. Examples of secondary documentation include home mortgage papers, life insurance policies, notarized tax returns, marriage/divorce certificates, non-US birth certificates etc. (See examples from the New York DMV http://www.nydmv.state.ny.us/idlicense.htm#idpoints) These documents are not verified for authenticity with the issuing agency except for half the states electronically verify Social Security Number and in some states electronically verify immigration status with the Bureau of Immigration. Only a few states retain copies or images of the source documents presented for identification. And, the person who performs all of the verifications is often an entry level counter clerk. Further, one has to only stop and consider what individuals who have just been through hurricane Katrina might have in the form of documentation readily available to them to realize that every one of these identification standards is flexible and can be adjusted as the need arises.

Compare this process with process that is used to actually issue a driver’s license. In every state if you haven’t been licensed before, you have to take a written examination and a practical examination in the form of a road test. (Note some states still require the written exam even if you are already licensed in another state.) The road test is usually administered by an “examiner”; in some states it is administered by a uniformed officer.

The contrast is apparent, motor vehicle departments are clearly more concerned about your ability to drive than identity. And probably rightly so as that is what their state legislation has told them to be concerned with. This isn’t to say they are not concerned with identity, but it is to say that probably no Motor Vehicle Departments enabling legislation makes them the “Department of Identity” giving them the authority and stature to function as such. Thus, it will take a major change to implement Real ID as this Act will put the identity validation process on at least equal if not greater footing than validating one’s ability to drive.

What will this mean to a Motor Vehicle Department and its constituents?

• Depending on whatever federal regulations are put in play, it is going to mean additional time and effort at the initial stage of obtaining a driver’s license and possibly the license renewal.
• How will “additional time” at the motor vehicle department play with the general public? Most DMV’s have gone to great lengths to encourage you not to come to the office, to keep lines short and generally remove the stigma that they have operated under for many years. Real ID, without additional resources (and probably resources better compensated than your average counter clerk) will probably increase the length of the lines.
• Will states consider having two types of licenses, one that is full service and can serve as a federally approved ID and another that is a valid license but doesn’t meet the id standard? Imagine if there were two lines, one where you wait longer but get the federally approved ID vs. the other where you just get the basic driver’s license.
• Or, will the Real ID act bring an end to the current on-line renewal of driver’s licenses?
• Will there be an opportunity for a commercial for-profit ‘trusted agent’ to perform identity verification as a value added service and submit verified identities to the DMV?
• What will states need to do to prevent internal fraud?—background checks, physical security of license materials and licensing employees.
• How do you educate the public to understand more complex identification requirements so they don’t have to make visits? If half of the people in the office have to make a return visit to complete the verification that is a 50% increase in volume.

Bottom line is either the motoring public has to be willing to wait much longer in line or states are going to have to spend significant on-going amounts of money supporting Motor Vehicle departments.

What do you think??? What do you prefer?

Consensus and Controversy

It is refreshing to take part in a discussion about national ID systems that -- unlike most discussions  of this topic -- is not dominated by hysteria.

Here are a few propositions that I think might form a basis for going forward in reasoned debate.  (I of course welcome debate on the accuracy of these propositions as well as the conclusions that might flow from them)

Base propositions:

1.  A national ID is not the magic bullet that will make the country safe from terrorism.   Given the very poor controls we have on birth certificates at home (not to mention the impossibility of relying on the quality control foreign credentials) it at most it creates a speedbump for foreign terrorists who will need to get phony versions of the credentials used as the basis for issuing the US ID.

2.  A national ID system cannot secure our borders.

3.  A national ID system can, however, assist in making illegal immigration more unpleasant for immigrants by, for example, making it more difficult to employ them.   All other things being equal, this should reduce the incentive for that part of illegal immigration driven primarily by economic considerations.

4. More generally, a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.   

5. A national ID system potentially creates new avenues for super-fraud and highly effective identity theft.

6. A national ID system potentially creates new avenues for governmental dossier creation on all citizens who use the national ID.  These opportunities exist even if the system is not misused, and are greater if it is misused.  As Lee Tien put it "'national ID' is not a card, but an entire system of databases, information gathering activities, and human beings making fateful judgments about individuals based on that overall system."

7.  A National Research Council report ("Who Goes There -- Authentication Through the Lens of Privacy") noted this:

Finding 6.5: State-issued driver's licenses are a de facto nationwide identity system. They are widely accepted for transactions that require a  form of government-issued photo ID.

Real ID substantially increases the likelihood that driver's licenses will become a defacto national ID for an even greater range of offline and online transactions.

8.  The extent to which we reap the costs and benefits listed above is very sensitive to how the system is actually implemented.   For example, a well-implemented biometric identifier makes fraud and identity theft more difficult, but also makes it more devastating when it happens since people become more reliant on the ID's security (and it is hard to grow a new retina).

Am I correct that the above propositions are (in the abstract) uncontroversial, and the controversy is in fact about how big and how likely the positive and negative effects are, and how they compare to each other?

Or, as Dan Combs put it in his contribution,

1. REAlID done right = good

2. RealID done wrong = very bad

3. The bar is high for such a system to be good.

        We aren't close yet!

I will add the following personal observations, which I suspect might be more controversial than the above:

I.   For any ID system to be implemented competently (let alone in a fashion that inspires trust) supervisory authority must be taken out of the hapless Department of Homeland Security.

II.  For Real ID to be implemented competently it must have federal funding rather than being left to the states as an unfunded mandate.

III.  Real ID driver's licenses are likely to become a de facto national ID -- much more than current driver's licenses -- not just because of the federal pressure driven by national security needs (or rhetoric) but also because of commercial pressure from a variety of industries.

IV. The ID must be transparent -- end users must be able to read everything coded on the ID itself. 

V.  If we are going to have a real or de facto national ID card, all citizens must have a right to review and correct information held on them in both public and private dossiers linked to the ID.

(For more about what I think, see my paper, The Uneasy Case for National ID Cards.)

Homeland Security Regulations for Real ID

The Department of Homeland Security is now considering the promulgation of regulations implementing the Real ID Act of 2005.  These regulations offer an opportunity to address some of the open issues posed by the wording of the statute.  Depending upon how the final regulations are settled, there is also a potential to compound some of the issues posed by the current statute.   This topic thread is for participants in this Online Forum on the Real ID Act to share ideas you may have on problems and prospects associated with potential regulations under this federal law.  Some questions to stir dialog include:

1. What do you think Homeland Security should consider as it drafts the regulations?

2. Is there anything you believe Homeland Security should avoid in their regulations?

3. Are there issues arising out of this statute that can be resolved by regulations?

All comments posted to this thread will be presented, as part of our conference proceedings, and published as part of our in-person conference to happen on December 5, 2005.  The conference proceedings will also be presented to the Department of Homeland Security, as a record of the remarks made by participants, for their considerations as they determine how to implement the Real ID Act.  I look forward to reading your comments.